Cisco Support Community
New Member

GRE tunnels with static and dynamic crypto maps possible?

Dear all,

I have set up a VPN with IOS routers using GRE tunnels over IPSec. It is working fine so far. All my currently connected routers have static official internet IP addresses. Now I am trying to extend the configuration to also support routers with dynamically assigned official addresses, but I can't get it running (phase 2 SA policy not acceptable).

I am trying the "crypto dynamic-map" and "crypto identity" commands for the dynamic IPSec tunnel. Within the GRE tunnel I have no "tunnel destination" command.

Is it possible to make this work? If yes, what am I doing wrong? Please have a look at the attached configuration fragment from my central site (my dial-in router is configured the same way as my static routers):

crypto isakmp policy 100
 encr 3des
 group 2
!
crypto ipsec transform-set to_vpn esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map dial-in-router 1
 set transform-set to_vpn
 set identity myhome
 match address Location1
!
crypto map mycryptomap 99 ipsec-isakmp
 description VPN to Location99
 set peer 99.99.99.99
 set transform-set to_vpn
 match address Location99
crypto map mycryptomap 147 ipsec-isakmp
 description VPN to Location147
 set peer 147.147.147.147
 set transform-set to_vpn
 match address Location147
crypto map mycryptomap 202 ipsec-isakmp
 description VPN to Location202
 set peer 202.202.202.202
 set transform-set to_vpn
 match address Location202
crypto map mycryptomap 1000 ipsec-isakmp dynamic dial-in-router
!
crypto identity myhome
 fqdn myhome.mycompany.com
!
interface Tunnel1
 description Location1, dynamic remote IP address
 bandwidth 512
 ip address 10.227.1.1 255.255.255.252
 ip accounting output-packets
 ip mtu 1440
 tunnel source Ethernet0
 ! no tunnel destination ?!
 crypto map mycryptomap
!
interface Tunnel99
 description Location99
 bandwidth 512
 ip address 10.227.99.1 255.255.255.252
 ip accounting output-packets
 ip mtu 1440
 tunnel source Ethernet0
 tunnel destination 99.99.99.99
 crypto map mycryptomap
!
interface Tunnel147
 description Location147
 bandwidth 512
 ip address 10.227.147.1 255.255.255.252
 ip accounting output-packets
 ip mtu 1440
 tunnel source Ethernet0
 tunnel destination 147.147.147.147
 crypto map mycryptomap
!
interface Tunnel202
 description Location202
 bandwidth 512
 ip address 10.227.202.1 255.255.255.252
 ip accounting output-packets
 ip mtu 1440
 tunnel source Ethernet0
 tunnel destination 202.202.202.202
 crypto map mycryptomap
!
interface Ethernet0
 description to Internet
 ip address 193.193.193.193 255.255.255.248
 ip access-group 140 in
 ! assumed "out": the pasted fragment listed 150 as a second inbound group,
 ! which IOS would simply replace 140 with; its entries match the router's own address as source
 ip access-group 150 out
 ip accounting output-packets
 half-duplex
 crypto map mycryptomap
!
interface FastEthernet0
 ip address 10.10.10.10 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 193.193.193.194
ip route 10.0.0.0 255.0.0.0 10.10.10.1
!
ip access-list extended Location1
 permit gre host 193.193.193.193 any
ip access-list extended Location99
 permit gre host 193.193.193.193 host 99.99.99.99
ip access-list extended Location147
 permit gre host 193.193.193.193 host 147.147.147.147
ip access-list extended Location202
 permit gre host 193.193.193.193 host 202.202.202.202
!
access-list 140 permit esp any host 193.193.193.193
access-list 140 permit udp any eq isakmp host 193.193.193.193 eq isakmp
access-list 140 permit icmp any host 193.193.193.193
access-list 140 permit gre any host 193.193.193.193 log
access-list 140 deny ip any any log
access-list 150 permit esp host 193.193.193.193 any
access-list 150 permit udp host 193.193.193.193 eq isakmp any eq isakmp
access-list 150 permit icmp host 193.193.193.193 any
access-list 150 permit gre host 193.193.193.193 any log
access-list 150 deny ip any any log

1 REPLY
Cisco Employee

Re: GRE tunnels with static and dynamic crypto maps possible?

Dynamic Multipoint VPN (DMVPN) is what you want. It's a new feature in 12.2(13)T, explained here:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftgreips.htm

This'll make your hub router configuration much simpler, and your spokes can all be a very standard config.
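A hub and spoke skeleton for the DMVPN approach the reply points to, added here as an illustration; it is neither the original poster's configuration nor taken from the linked document. The 10.227.0.0/24 tunnel subnet, the spoke's Dialer0 WAN interface, the NHRP and ISAKMP key values, and the spoke reusing the same crypto definitions keyed to the hub address are assumptions.

```cisco
! ---- Hub (central site, 193.193.193.193 as in the post) ----
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
! Wildcard peer because spoke addresses are dynamic; a PKI-based
! identity avoids one shared secret for every spoke (assumed key value)
crypto isakmp key REPLACE-WITH-STRONG-KEY address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set to_vpn esp-3des esp-sha-hmac
 mode transport
!
! The IPsec profile replaces the per-peer crypto map entries
crypto ipsec profile dmvpn
 set transform-set to_vpn
!
interface Tunnel0
 description DMVPN hub: one mGRE tunnel serves all spokes
 ip address 10.227.0.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication nhrpkey
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 tunnel source Ethernet0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile dmvpn
!
! ---- Spoke with a dynamic WAN address (same template on every spoke) ----
! isakmp policy, transform set and ipsec profile as on the hub; the
! pre-shared key is bound to the hub address 193.193.193.193 (assumed)
interface Tunnel0
 ip address 10.227.0.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication nhrpkey
 ip nhrp map 10.227.0.1 193.193.193.193
 ip nhrp map multicast 193.193.193.193
 ip nhrp network-id 100
 ip nhrp nhs 10.227.0.1
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile dmvpn
```

Because the hub learns each spoke's current address through NHRP registration, no "tunnel destination" or per-spoke crypto map entry is needed; the inbound ACL on the hub's Internet interface still has to permit ESP, ISAKMP and GRE from any source.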
